ARCON hosted a webinar featuring Forrester to discuss the essence of identity-centric security approach in modern-day context. On November 12th, 2024, Harshavardhan Lale, VP – Business Development, ARCON and guest speaker Geoff Cairns, Principal Analyst, Forrester shared their insights on why and how the proliferation of identities is affecting the IT security infrastructure of modern enterprises. The identities include human identities, machine identities, privileged identities, administrative identities and more.
During the first half of the webinar, Harshavardhan from ARCON highlighted the identity-first security approach for safeguarding organizations. He also discussed how identity risk management leaders can strengthen their security posture with cutting-edge technologies. Below are the key takeaways from the first half of the session:
- Harshavardhan started his session with very basic insights of identities and the variety of identities that exist in IT infrastructure. The evolution of digital identities is not yet over. In fact, a lot more is about to come in the next five years.
- Digital identities drive business models with growth, efficiency, and excellence that is directly involved in profit-making and revenue generation. If we try to construct a digital identity, there are several parameters that are considered. Personal thoughts, likes, dislikes, professional details, online activities/ behaviour, which tools are used, where the information is stored/ saved etc. are taken into account.
- If we classify the types of digital identities, there are interactive identities and non-interactive identities. Interactive identities include human identities and machine identities (bots). Non-interactive identities include mobile devices, desktops, APIs, web servers, database servers, application servers and more.
- The typical challenges that organizations face with identities are – lack of detailed password policies, weak and reused passwords, poor role management, too many admin accounts, auditing and compliance, multiple devices per user and more.
- Harshavardhan added that there are different identity-based attacks that are dominant in enterprises. Some of them are – Credential Harvesting, Credential Stuffing, Social Engineering, Password-based attacks, Third/ Fourth party breaches, Attacks on AD, Kerberoasting, Pass-the-hash, Shoulder Surfing and more.
- At the same time, he explained why identity is at the core of a Zero Trust approach and Identity Centric Security will have to be built on Convergence of IAM, PAM, and IGA with Contextual Data Models.
Harsh added his discussion with the reasons why identity-centric security is essential in modern context. They are –
- Increased Cyber Threats
- Remote Work and Cloud Adoption
- Regulatory Compliance
- Zero Trust Security Model
- User Experience
- Dynamic Threat Landscape
- Integration of Emerging Technologies: OT, IoT, AI, and machine learning
According to him, some key features of identity-centric security are –
- Certificate-based authentication
- Risk-based adaptive step-up authentication
- Automated certificate lifecycle management
- End-to-end encryption
- Multi-cloud ready
- Compliance management
- Post-quantum-ready solutions
- Built-in crypto-agility and certificate authority (CA) resilience
- Public and private PKI
- Centralized visibility and control of digital certificates
Before concluding his session, Harshavardhan gave some crucial organizational details of ARCON, a brief introduction of all the IAM solutions of ARCON and how the organization is acknowledged by global analysts’ communities consecutively in the last several years. Nevertheless, Harshavardhan also added that ARCON provides its services to multiple industry segments globally and thus it caters to the essential requirements of identity-centric security approach.
In the latter half of the webinar, Geoff Cairns from Forrester discussed why securing your organization’s core assets is more critical amid proliferation of human and machine identities. The key takeaways from his session are as follows.
- Based on data from Forrester’s 2023 Security Survey, it has been observed that the customers are struggling with the complexity of their IT environment. The challenge is more around centralized visibility that can lead to identity sprawl such as orphan accounts over privileged users and over-permissioned accounts (or over-entitlements).
- Geoff added that the evolving threat landscape is both internal and external. The hackers are capitalizing on identity-based attacks where legacy systems often are in tech silos leading to gaps in IT processes. This is further evidenced by organizations that have recently been in the news. United healthcare had acquired Change Healthcare a couple of years ago. During the process unfortunately, the organization failed to put MFA on some externally facing servers, and that resulted in identity abuse by phishing the credentials with the help of social engineering techniques.
- Referring to the Forrester Security Survey once again, Geoff presented some primary drivers that resulted in purchasing of IAM solutions in the last 12 months. 26% of respondents (security decision makers responsible for IAM security) indicated that a top driver was replacing an existing IAM solution that was ineffective or too costly. 25% responded that cloud migration requires new IAM solutions to meet the necessary security and compliance requirements in the organization.
- Continuing with the legacy IAM technology, it is a fact that with the passage of time, any IAM solution becomes less secure, inadequate robustness of the features, difficult to upgrade and costly to operate. Interestingly, it is increasing every year. The technology replacement trends that are seen in 2022, have turned more challenging in 2023 and onwards.
- Adding to what Harsh discussed earlier, Geoff emphasized that identity-centric security is the key to adherence to the core principles of Zero Trust.
Geoff also discussed the dynamic accelerators for identity security namely –
- Cloud and SaaS adoptions
- DevOps methodology
- Machine Identities
- Extended third parties
- Organizational amendments
Adding some essentials for identity-centric security approach, Geoff discussed the key areas –
- Visibility and Governance
- Identity Lifecycle Automation
- Just-In-Time Access and Zero Standing Privileges
- Identity Threat Intelligence
- Integrated response
Conclusion
Before the final wrap, the webinar concluded by discussing several questions raised by the participants and moderated by Apratim Maity from ARCON’s marketing team. Both Geoff and Harsh shared their valuable insights and recommendations while answering the questions one by one.